‘Banking’ Malware Dridex Arrives via Phishing Email

Malware that abuses Microsoft Office scripting (macros and embedded objects) has become increasingly common and aggressive, as malware authors keep developing new techniques to evade detection and deceive users.

This kind of malware, as mentioned in previous posts, usually arrives as a document attached to a phishing email. Once the "document" is opened, it downloads a second-stage payload, which in turn downloads and executes the final payload that infects the host machine.

In a recent case involving the Dridex malware, McAfee Labs found the distribution method to be typical: The malware arrives via a phishing email:

We have discovered that the attached document can arrive in one of two variants:

The first variant comes as an XML document (.XML, or a .DOC that is really Word 2003 XML) containing an embedded Office object stored as base64 (encoding, not encryption). The object is decoded and opened when the XML file is opened.
The embedded ActiveMime object wraps a compressed OLE document (ActiveMime stores the OLE container as a zlib stream); Word unpacks and opens it as soon as the XML file loads the Office object.
The OLE file then runs an embedded malicious macro containing code similar to what we see in the following image. This code launches PowerShell and downloads the Dridex Loader.

The second variant comes as a Word or Excel file (.DOC or .XLS) that contains an Office Active Object (an embedded OLE object) which runs the malicious code in the OLE file as native OLE content rather than as a macro. Thus, even if the user has not enabled macros, the malware can still execute, because the code is run directly from the embedded OLE object. To deceive the user, the malware presents a document with the Active Object embedded in its body. As shown in the following image, Office warns the user about opening the embedded Active Object, much like the warning displayed whenever a user opens a document containing a macro:
An incautious user might ignore the warning and double-click the embedded Active Object. In that case the downloader code runs by launching a PowerShell instance, exactly as in the first variant.
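The unwrapping chain described for the first variant (XML, then base64, then ActiveMime, then a zlib-compressed OLE container) is also the chain an analyst has to reverse when triaging such an attachment. The following script, added here as an illustration and not taken from McAfee Labs or from the Dridex sample, walks every `w:binData` element of a Word 2003 XML document, decodes it, unwraps the ActiveMime container and then scans the resulting OLE bytes for storage names associated with macros and embedded objects (`VBA`, `Macros`, `\x01Ole10Native`, `Package`), which covers the second variant's embedded-object case as well. The sample document is constructed inline with a fake OLE header; the zlib offset of 0x32 is the usual ActiveMime layout, and the script falls back to scanning for a zlib header if that fails. The stream-name scan is a triage heuristic only: real macro source lives compressed inside the VBA storage, so a tool such as olevba is needed to read the actual macro code.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # compound file header
ACTIVEMIME_MAGIC = b"ActiveMime"                      # MSO wrapper signature
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"

# Storage/stream names are stored as UTF-16LE in OLE directory entries, so a
# raw byte scan is enough to flag them without a full OLE parser (heuristic).
SUSPICIOUS_STREAMS = {
    "VBA": "VBA".encode("utf-16-le"),
    "Macros": "Macros".encode("utf-16-le"),
    "Ole10Native": "\x01Ole10Native".encode("utf-16-le"),  # embedded packager object
    "Package": "Package".encode("utf-16-le"),
}


def unwrap_activemime(blob):
    """Return the OLE container inside an ActiveMime wrapper, or None."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return None
    # The deflate stream normally begins at offset 0x32; if that fails, try
    # every position that looks like a zlib header (0x78 0x9C).
    candidates = [0x32] + [m.start() for m in re.finditer(b"\x78\x9c", blob)]
    for off in candidates:
        try:
            data = zlib.decompress(blob[off:])
        except zlib.error:
            continue
        if data.startswith(OLE_MAGIC):
            return data
    return None


def triage_ole(ole):
    """Names of suspicious storages/streams found by raw scan of an OLE file."""
    return sorted(name for name, needle in SUSPICIOUS_STREAMS.items() if needle in ole)


def analyze_wordml(xml_bytes):
    """Decode and unwrap every w:binData element of a Word 2003 XML document."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for el in root.iter("{%s}binData" % WORDML_NS):
        name = el.get("{%s}name" % WORDML_NS, "?")
        raw = base64.b64decode("".join((el.text or "").split()))  # base64 may be line-wrapped
        ole = unwrap_activemime(raw)
        findings.append({
            "name": name,
            "activemime": raw.startswith(ACTIVEMIME_MAGIC),
            "ole": ole is not None,
            "streams": triage_ole(ole) if ole else [],
        })
    return findings


def build_sample():
    """Constructed test document: a fake OLE file wrapped in ActiveMime, base64, XML."""
    fake_ole = (OLE_MAGIC + b"\x00" * 504
                + SUSPICIOUS_STREAMS["VBA"] + b"\x00" * 8
                + SUSPICIOUS_STREAMS["Ole10Native"] + b"\x00" * 100)
    wrapped = ACTIVEMIME_MAGIC + b"\x00" * (0x32 - len(ACTIVEMIME_MAGIC)) + zlib.compress(fake_ole)
    b64 = base64.b64encode(wrapped).decode()
    b64 = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    doc = ('<?xml version="1.0"?><w:wordDocument xmlns:w="%s"><w:docOleData>'
           '<w:binData w:name="editdata.mso">%s</w:binData></w:docOleData>'
           '<w:body/></w:wordDocument>') % (WORDML_NS, b64)
    return doc.encode()


if __name__ == "__main__":
    for f in analyze_wordml(build_sample()):
        print(f)
```

On a real attachment, replace `build_sample()` with the file's bytes; a `.DOC` whose first bytes are `<?xml` rather than the OLE magic is the XML-wrapped variant described above.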

In either case, the embedded malicious code executes a command line that launches powershell.exe with the following parameters: